Towards Robust Stacked Capsule Autoencoder with Hybrid Adversarial
Training
- URL: http://arxiv.org/abs/2202.13755v2
- Date: Tue, 1 Mar 2022 07:08:23 GMT
- Title: Towards Robust Stacked Capsule Autoencoder with Hybrid Adversarial
Training
- Authors: Jiazhu Dai, Siwei Xiong
- Abstract summary: Capsule networks (CapsNets) are new neural networks that classify images based on the spatial relationships of features.
The stacked capsule autoencoder (SCAE) is a state-of-the-art CapsNet and the first to achieve unsupervised classification with capsule networks.
We propose an evasion attack against SCAE in which the attacker generates adversarial perturbations by reducing the contribution of the object capsules.
We evaluate the defense method and the experimental results show that the refined SCAE model can achieve 82.14% classification accuracy under evasion attack.
- Score: 0.0
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Capsule networks (CapsNets) are new neural networks that classify images
based on the spatial relationships of features. By analyzing the pose of
features and their relative positions, CapsNets are better able to
recognize images after affine transformations. The stacked capsule
autoencoder (SCAE) is a state-of-the-art CapsNet and the first to achieve
unsupervised classification with capsule networks. However, the security
vulnerabilities and the robustness of the SCAE have rarely been explored.
In this paper, we propose an evasion attack against SCAE in which the
attacker generates adversarial perturbations by reducing the contribution
of the object capsules in the SCAE associated with the image's original
category. The adversarial perturbations are then applied to the original
images, and the perturbed images are misclassified.
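A minimal sketch of this capsule-suppression optimization, assuming a hypothetical `scae` callable that returns object-capsule presence probabilities and a known capsule-to-category mapping (the names, interface, and hyperparameters are illustrative assumptions, not the authors' implementation):

```python
# Hedged sketch of the capsule-suppression idea: optimize a small additive
# perturbation that lowers the presence of the object capsule tied to the
# image's original category. Not the authors' actual code.
import torch

def evasion_attack(scae, image, true_capsule, eps=0.1, steps=50, lr=0.01):
    delta = torch.zeros_like(image, requires_grad=True)
    optimizer = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        presence = scae(image + delta)   # presence probability per object capsule (assumed)
        loss = presence[true_capsule]    # contribution of the original category's capsule
        optimizer.zero_grad()
        loss.backward()                  # minimizing this suppresses that capsule
        optimizer.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)      # keep the perturbation small
    return (image + delta).detach()
```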
Furthermore, we propose a defense method called Hybrid Adversarial Training
(HAT) against such evasion attacks. HAT makes use of adversarial training and
adversarial distillation to achieve better robustness and stability. We
evaluate the defense method and the experimental results show that the refined
SCAE model can achieve 82.14% classification accuracy under evasion attack. The
source code is available at https://github.com/FrostbiteXSW/SCAE_Defense.
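HAT is described only at a high level here, so the following is a plausible sketch of one hybrid training step that mixes adversarial training (hard labels on adversarial examples) with adversarial distillation (matching a frozen teacher's softened outputs); `attack_fn`, `teacher`, `alpha`, and `T` are assumptions, not the paper's specification:

```python
# Hedged sketch of a hybrid adversarial-training step: a hard-label loss on
# adversarial examples (adversarial training) mixed with a soft-label KL loss
# against a frozen teacher (adversarial distillation). All names and
# hyperparameters are assumptions.
import torch
import torch.nn.functional as F

def hat_step(student, teacher, attack_fn, images, labels, alpha=0.5, T=4.0):
    adv = attack_fn(student, images, labels)           # craft adversarial batch
    logits = student(adv)
    ce = F.cross_entropy(logits, labels)               # adversarial-training term
    with torch.no_grad():
        soft = F.softmax(teacher(adv) / T, dim=-1)     # teacher's softened outputs
    kd = F.kl_div(F.log_softmax(logits / T, dim=-1), soft,
                  reduction="batchmean") * (T * T)     # distillation term
    loss = alpha * ce + (1.0 - alpha) * kd
    loss.backward()                                    # caller applies optimizer.step()
    return loss.item()
```

A typical loop would call `hat_step` once per batch and then step an optimizer over the student's parameters.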
Related papers
- Meta Invariance Defense Towards Generalizable Robustness to Unknown Adversarial Attacks [62.036798488144306]
Current defenses mainly focus on known attacks, while adversarial robustness to unknown attacks is largely overlooked.
We propose an attack-agnostic defense method named Meta Invariance Defense (MID).
We show that MID simultaneously achieves robustness to the imperceptible adversarial perturbations in high-level image classification and attack-suppression in low-level robust image regeneration.
arXiv Detail & Related papers (2024-04-04T10:10:38Z)
- Towards Robust Image Stitching: An Adaptive Resistance Learning against Compatible Attacks [66.98297584796391]
Image stitching seamlessly integrates images captured from varying perspectives into a single wide field-of-view image.
Given a pair of captured images, subtle perturbations and distortions that go unnoticed by the human visual system can disrupt the correspondence matching.
This paper presents the first attempt to improve the robustness of image stitching against adversarial attacks.
arXiv Detail & Related papers (2024-02-25T02:36:33Z)
- Realistic Scatterer Based Adversarial Attacks on SAR Image Classifiers [7.858656052565242]
An adversarial attack perturbs SAR images of on-ground targets such that the classifiers are misled into making incorrect predictions.
We propose the On-Target Scatterer Attack (OTSA), a scatterer-based physical adversarial attack.
We show that our attack obtains significantly higher success rates under the positioning constraint compared with the existing method.
arXiv Detail & Related papers (2023-12-05T17:36:34Z)
- SAIF: Sparse Adversarial and Imperceptible Attack Framework [7.025774823899217]
We propose a novel attack technique called the Sparse Adversarial and Interpretable Attack Framework (SAIF).
Specifically, we design imperceptible attacks that contain low-magnitude perturbations at a small number of pixels and leverage these sparse attacks to reveal the vulnerability of classifiers; a generic sketch of the sparsity idea appears below.
SAIF computes highly imperceptible and interpretable adversarial examples, and outperforms state-of-the-art sparse attack methods on the ImageNet dataset.
arXiv Detail & Related papers (2022-12-14T20:28:50Z)
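The SAIF entry above only states that the attack places low-magnitude perturbations on few pixels, so here is a generic top-k-gradient sketch of a sparse attack under that constraint; it is not SAIF's actual algorithm, and all names and hyperparameters are illustrative:

```python
# Generic sketch of a sparse, low-magnitude attack: each step ascends the loss
# but keeps only the k coordinates with the largest gradient magnitude. This
# is a stand-in for a sparsity constraint, not the SAIF paper's algorithm.
import torch
import torch.nn.functional as F

def sparse_attack(model, x, y, k=100, eps=0.02, steps=10):
    delta = torch.zeros_like(x)
    for _ in range(steps):
        delta = delta.detach().requires_grad_(True)
        loss = F.cross_entropy(model(x + delta), y)
        (grad,) = torch.autograd.grad(loss, delta)
        with torch.no_grad():
            flat = grad.abs().flatten(1)
            kth = flat.topk(k, dim=1).values[:, -1:]    # k-th largest |grad| per image
            mask = (flat >= kth).view_as(grad).float()  # keep only the top-k coordinates
            delta = (delta + eps * grad.sign() * mask).clamp(-eps, eps)
    return (x + delta).detach()
```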
- CARBEN: Composite Adversarial Robustness Benchmark [70.05004034081377]
This paper demonstrates how a composite adversarial attack (CAA) affects the resulting image.
It provides real-time inferences of different models, which will facilitate users' configuration of the parameters of the attack level.
A leaderboard to benchmark adversarial robustness against CAA is also introduced.
arXiv Detail & Related papers (2022-07-16T01:08:44Z)
- Attacking Video Recognition Models with Bullet-Screen Comments [79.53159486470858]
We introduce a novel adversarial attack on video recognition models based on bullet-screen comment (BSC) attacks.
BSCs can be regarded as a kind of meaningful patch; adding one to a clean video does not affect people's understanding of the video content, nor does it arouse suspicion.
arXiv Detail & Related papers (2021-10-29T08:55:50Z)
- Combating Adversaries with Anti-Adversaries [118.70141983415445]
In particular, our layer generates an input perturbation in the opposite direction of the adversarial one (a rough sketch of the idea appears below).
We verify the effectiveness of our approach by combining our layer with both nominally and robustly trained models.
Our anti-adversary layer significantly enhances model robustness while coming at no cost on clean accuracy.
arXiv Detail & Related papers (2021-03-26T09:36:59Z)
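As a hedged sketch of the "opposite direction" idea in the entry above: perturb the input so the model becomes more confident in its own current prediction, i.e., descend the loss an attacker would ascend. Names and step sizes are assumptions, not the paper's layer:

```python
# Hedged sketch of an anti-adversary step: push the input in the direction
# that *decreases* the loss w.r.t. the model's own prediction, the opposite
# of a gradient-ascent attack. Illustrative only.
import torch
import torch.nn.functional as F

def anti_adversary(model, x, k=2, lr=0.15):
    y_pred = model(x).argmax(dim=-1)                 # model's current prediction
    delta = torch.zeros_like(x, requires_grad=True)
    for _ in range(k):
        loss = F.cross_entropy(model(x + delta), y_pred)
        (grad,) = torch.autograd.grad(loss, delta)
        with torch.no_grad():
            delta -= lr * grad.sign()                # descend, opposite of an attack
    return (x + delta).detach()
```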
- Adversarial Attacks are Reversible with Natural Supervision [28.61536318614705]
Images contain intrinsic structure that enables the reversal of many adversarial attacks.
We demonstrate that modifying the attacked image to restore the natural structure will reverse many types of attacks.
Our results suggest deep networks are vulnerable to adversarial examples partly because their representations do not enforce the natural structure of images.
arXiv Detail & Related papers (2021-03-26T02:21:40Z)
- A Neuro-Inspired Autoencoding Defense Against Adversarial Perturbations [11.334887948796611]
Deep Neural Networks (DNNs) are vulnerable to adversarial attacks.
The most effective current defense is to train the network using adversarially perturbed examples.
In this paper, we investigate a radically different, neuro-inspired defense mechanism.
arXiv Detail & Related papers (2020-11-21T21:03:08Z)
- An Evasion Attack against Stacked Capsule Autoencoder [0.0]
We propose an evasion attack against the Stacked Capsule Autoencoder (SCAE).
We evaluate the attack using an image classification experiment, and the experimental results indicate that the attack can achieve high success rates and stealthiness.
arXiv Detail & Related papers (2020-10-14T16:44:10Z)
- Dual Manifold Adversarial Robustness: Defense against Lp and non-Lp Adversarial Attacks [154.31827097264264]
Adversarial training is a popular defense strategy against attack threat models with bounded Lp norms.
We propose Dual Manifold Adversarial Training (DMAT) where adversarial perturbations in both latent and image spaces are used in robustifying the model.
Our DMAT improves performance on normal images and achieves robustness against Lp attacks comparable to standard adversarial training.
arXiv Detail & Related papers (2020-09-05T06:00:28Z)